Method and system for application-based policy monitoring and enforcement on a mobile device

ABSTRACT

A method and system for application-based monitoring and enforcement of security, privacy, performance and/or other policies on a mobile device includes incorporating monitoring and policy enforcement code into a previously un-monitored software application package that is installable on a mobile device, and executing the monitoring and policy enforcement code during normal use of the software application by a user of the mobile device.

CROSS-REFERENCE TO RELATED APPLICATION

This application is a continuation of, and claims the benefit of andpriority to U.S. Utility application Ser. No. 13/411,072, filed Mar. 2,2012, which is U.S. Pat. No. 8,844,036, issue date Sep. 23, 2014, and isincorporated herein by this reference in its entirety.

GOVERNMENT RIGHTS

This invention was made in part with government support under grantnumber CNS-0716612 awarded by the National Science Foundation andcontract number W911NF-06-1-0316 awarded by The United States ArmyResearch Laboratory. The Government has certain rights in thisinvention.

BACKGROUND

Traditionally, products such as music players, cameras, video recorders,video games, web browsers, Global Positioning System (GPS)locators/navigators, clocks, telephones, and messaging systems wereenabled by different electronic devices. More recently, many features ofthese products have converged onto unitary mobile devices such assmartphones, e-readers, and tablet computers. As a result, softwareapplications exploiting these features have been and continue to bedesigned for mobile devices. These applications are often capable ofstoring large amounts of potentially sensitive or private information ona mobile device and communicating with other devices or remote systemsover public and/or unsecured networks, with or without the user'sknowledge.

The number of software applications that can be downloaded to mobiledevices from public “application stores” or “markets” has exploded inrecent years. In particular, the amount of downloadable malwaremasquerading as legitimate applications is on the rise, and new forms ofmalware seem to appear every day. It can be extremely difficult forusers to distinguish “benign” applications from those that have amalicious intent. Even if an application is not intended as malware, itmay perform activities that would be considered objectionable by someusers. For these and other reasons, mobile devices are increasinglyvulnerable to security attacks and/or privacy breaches as a result ofapplication downloads.

SUMMARY

According to at least one aspect of this disclosure, a method includes,with at least one computing device, processing a software applicationexecutable by a mobile device to obtain a plurality of components of thesoftware application, and associating at least one second component withat least one of the components of the software application. The at leastone second component is configured to, during execution of the softwareapplication and without modifying the components of the softwareapplication, determine whether the software application is attempting toperform a potentially unauthorized activity. The method also includescreating a software application package comprising the components of thesoftware application and the at least one second component, where thesoftware application package is adapted for installation on the mobiledevice.

In some embodiments where the mobile device includes at least onecomputer-accessible medium and an operating system stored in the atleast one computer-accessible medium, the method may include installingthe at least one second component on the mobile device without modifyingthe operating system.

The components of the software application may include unsecuredcompiled components and the at least one second component may include atleast one compiled component configured to secure the softwareapplication against potentially unauthorized activity. The method mayinclude creating a single executable file based on the components of thesoftware application and the at least one second component withoutmodifying the components of the software application.

The method may include configuring the software application package sothat after the software application starts, at least one of the secondcomponents executes prior to executing the software application. In someembodiments, where the software application is embodied in a firstsoftware application package that includes a manifest file, the methodmay include updating the manifest file to cause at least one of thesecond components to execute after the software application is startedand prior to execution of the software application. In some embodimentswhere the software application is embodied in a first softwareapplication package and the first software application package includesa first digital certificate, the method may include signing the softwareapplication package with a second digital certificate. In someembodiments where the mobile device includes a device-specific securitysystem, the method may include installing the second softwareapplication package on the mobile device without modifying thedevice-specific security system.

The method may include defining at least one policy for determiningwhether the software application is attempting to perform a potentiallyunauthorized activity and using the at least one policy to configure atleast one of the second components. The method may include receivinginput from a user of the mobile device and defining the at least onepolicy based on the input from the user. The method may include definingat least policy relating to at least one of: application security,application performance, device security, privacy, network security,privilege escalation, a sequence of events, native code, and non-nativecode.

Also, according to at least one aspect of this disclosure, a methodincludes, after a software application including code interpretable as asystem call to an operating system object is started and loaded intomemory for execution by a mobile device, and prior to execution of thesoftware application by the mobile device, at least temporarilyassociating the operating system object with a security and/or privacymonitoring routine, such that during execution of the softwareapplication, the security and/or privacy monitoring routine is executedprior to execution of the at least one system call.

The method may include determining a memory address of the operatingsystem object, and at least temporarily associating the operating systemobject with a memory address of the security and/or privacy monitoringroutine. In embodiments where the mobile device includes adevice-specific security system, the method may include associating theoperating system object with a memory address of the security and/orprivacy monitoring routine independently of the device-specific securitysystem. The method may include using dynamic linking to associate, atleast temporarily, the operating system object with a memory address ofa security and/or privacy monitoring routine.

Further, according to at least one aspect of this disclosure, a methodincludes detecting, during execution of a software application by amobile device on which an operating system is running, by anon-operating system software routine interfacing with the softwareapplication, and without modifying the operating system, the softwareapplication initiating a system call to the operating system. The methodalso includes, prior to execution of the system call by the operatingsystem: determining, by the non-operating system software routineinterfacing with the software application, based on the system call,whether the software application is attempting to perform a potentiallyunauthorized activity; and determining, by the non-operating systemsoftware routine interfacing with the software application, whether toexecute the system call in response to determining whether the softwareapplication is attempting to perform a potentially unauthorizedactivity.

In embodiments where the mobile device operating system includes adevice-specific security system, the method may include determiningwhether the software application is attempting to perform a potentiallyunauthorized activity independently of the device-specific securitysystem. The method may include determining whether the softwareapplication is attempting to perform a potentially unauthorized activitybased on at least one security and/or privacy policy. The at least onesecurity and/or privacy policy may be associated with at least one ofthe system call, the software application, and a user of the mobiledevice.

The method may include analyzing at least one argument associated withthe system call and determining whether the software application isattempting to perform a potentially unauthorized activity based on theat least one argument. Where the system call may be associated with aninter-process communication, the method may include processing the atleast one argument of the system call to determine at least oneparameter associated with the inter-process communication, anddetermining whether the software application is attempting to perform apotentially unauthorized activity based on at least one of theparameters associated with the inter-process communication.

The method may include determining whether an argument of the systemcall is associated with an application that is known or suspected to bemalicious by referring to a remote service. The method may includedetermining whether the system call comprises one of connect( ), ioctl(), fork( ), execvp( ), and dlopen( ). The method may include associatingthe system call with at least one policy for blocking the execution ofsystem calls and determining whether to execute the system call based onthe at least one policy. The method may include determining whether thesystem call is configured to initiate one or more of loading nativecode, establishing a communication connection to a remote device,sending a message, executing a computer program, requesting an input oroutput, creating a child process, and linking of a library.

The method may include receiving input relating to the system call froma user of the mobile device prior to executing the system call anddetermining whether to execute the system call, continue executing thesoftware application without executing the system call, or discontinueexecution of the software application, in response to the input from theuser of the mobile device. The method may include not executing thesystem call in response to the input from the user of the mobile device.The method may include storing the input from the user, detecting thesoftware application initiating a second system call to the operatingsystem, accessing the stored input in response to detecting the secondsystem call, and determining whether to execute the second system callbased on the stored input.

The method may include displaying a message relating to the system callat the mobile device during execution of the software application. Themethod may include displaying, at the mobile device, an indicatorrepresenting a degree of maliciousness of the system call.

Additionally, according to at least one aspect of this disclosure, anelectronic device includes at least one processor, at least one memorydevice coupled to the at least one processor, the at least one memorydevice having stored therein a plurality of instructions that whenexecuted by the at least one processor, cause the at least one processorto process a first application package including a software applicationexecutable by a second electronic device to obtain at least one compiledcomponent of the software application and associate at least onesecurity and/or privacy monitoring routine with the at least onecompiled component of the software application. The at least onesecurity and/or privacy monitoring routine is configured to, duringexecution of the software application by the second electronic deviceand without modifying the at least one compiled component of thesoftware application, determine whether the software application isattempting to perform a potentially unauthorized activity. Theelectronic device is also configured to create a second applicationpackage comprising the software application and the at least onesecurity and/or privacy monitoring routine, where the second applicationpackage is adapted for installation by the second electronic device.

The electronic device may include a network interface adapted toinitiate sending of the second software application package to thesecond electronic device over a network configured to facilitateelectronic communications between electronic devices. The electronicdevice may be configured to receive the first application package fromthe second electronic device via the network interface.

Further, according to at least one aspect of this disclosure, at leastone computer accessible medium includes a plurality of instructions thatin response to being executed, result in a mobile computing device, inresponse to a request to download an application package including atleast one executable software application to the mobile computingdevice: initiating the creation of a new application package comprisingthe at least one software application and at least one security and/orprivacy monitoring routine. The at least one security and/or privacymonitoring routine is configured to, during execution of the softwareapplication, determine whether the software application is attempting toperform a potentially unauthorized activity. The instructions mayinclude initiating the installation of the new application package onthe mobile computing device. The instructions may include initiatingcreation of the new application package at a second computing devicecommunicatively coupled to the mobile computing device by a network andinitiating downloading of the new application package to the mobilecomputing device.

BRIEF DESCRIPTION OF THE DRAWINGS

Aspects of this disclosure are illustrated by way of example and not byway of limitation in the accompanying figures. The figures may, alone orin combination, illustrate one or more embodiments of various aspects ofthis disclosure. For simplicity and clarity of illustration, elementsillustrated in the figures are not necessarily drawn to scale. Forexample, the dimensions of some elements may be exaggerated relative toother elements for clarity. Further, where considered appropriate,reference labels may be repeated among the figures to indicatecorresponding or analogous elements.

FIG. 1 is a simplified block diagram of at least one embodiment of anapplication-based security and/or privacy monitoring and enforcementsystem;

FIG. 2 is a simplified flow diagram of at least one embodiment of amethod for creating an application package including an application andsecurity and privacy monitoring and enforcement code;

FIG. 3 is a simplified flow diagram of at least one embodiment of amethod for at least temporarily redirecting application flow to securityand privacy monitoring and enforcement code;

FIG. 4 is a simplified flow diagram of at least one embodiment of amethod for intercepting a system call;

FIG. 5 is a simplified flow diagram of at least one embodiment of amethod for enforcing security and/or privacy policies; and

FIG. 6 is a simplified block diagram of at least one embodiment of acomputing environment in connection with which aspects of the system ofFIG. 1 may be implemented.

DETAILED DESCRIPTION OF THE DRAWINGS

While the concepts of the present disclosure are susceptible to variousmodifications and alternative forms, specific exemplary embodimentsthereof have been shown by way of example in the drawings and willherein be described in detail. It should be understood, however, thatthere is no intent to limit the concepts of the present disclosure tothe particular forms disclosed, but on the contrary, the intention is tocover all modifications, equivalents, and alternatives falling withinthe spirit and scope of the invention as defined by the appended claims.

In the following description, numerous specific details are set forth inorder to provide a more thorough understanding of the presentdisclosure. It will be appreciated, however, by one skilled in the artthat embodiments of the disclosure may be practiced without suchspecific details. In some instances, details such as control structuresand full software instruction sequences have not been shown in order notto obscure the invention. Those of ordinary skill in the art, with theincluded descriptions, will be able to implement appropriatefunctionality without undue experimentation.

References in the specification to “one embodiment,” “an embodiment,”“an illustrative embodiment,” etc., indicate that the embodimentdescribed may include a particular feature, structure, orcharacteristic, but every embodiment may not necessarily include theparticular feature, structure, or characteristic. Moreover, such phrasesare not necessarily referring to the same embodiment. Further, when aparticular feature, structure, or characteristic is described inconnection with an embodiment, it is submitted that it is within theknowledge of one skilled in the art to effect such feature, structure,or characteristic in connection with other embodiments whether or notexplicitly described.

Embodiments of the invention may be implemented in hardware, firmware,software, or any combination thereof. Embodiments of the invention mayalso be implemented as instructions carried by or stored on a transitoryor non-transitory machine-readable medium, which may be read andexecuted by one or more processors. A machine-readable medium may beembodied as any device, mechanism or physical structure for storing ortransmitting information in a form readable by a machine (e.g., acomputing device). For example, a machine-readable medium may beembodied as read only memory (ROM); random access memory (RAM); magneticdisk storage media; optical storage media; flash memory devices; mini-or micro-SD cards, memory sticks, electrical signals, and others.

In the drawings, specific arrangements or orderings of schematicelements, such as those representing devices, instruction blocks anddata elements, may be shown for ease of description. However, it shouldbe understood by those skilled in the art that the specific ordering orarrangement of the schematic elements in the drawings is not meant toimply that a particular order or sequence of processing, or separationof processes, is required. Further, the inclusion of a schematic elementin a drawing is not meant to imply that such element is required in allembodiments or that the features represented by such element may not beincluded in or combined with other elements in some embodiments.

In general, schematic elements used to represent instruction blocks maybe implemented using any suitable form of machine-readable instruction,such as software or firmware applications, programs, functions, modules,routines, processes, procedures, plug-ins, applets, widgets, codefragments and/or others, and that each such instruction may beimplemented using any suitable programming language, library,application programming interface (API), and/or other softwaredevelopment tools. For example, some embodiments may be implementedusing Java, C, C++, a combination of any of these, and/or otherprogramming languages.

Similarly, schematic elements used to represent data or information maybe implemented using any suitable electronic arrangement or structure,such as a database, data store, table, record, array, index, hash, map,tree, list, graph, file (of any file type), folder, directory or othergrouping of files, header, web page, meta tag, and/or others.

Further, in the drawings, where connecting elements, such as solid ordashed lines or arrows, are used to illustrate a connection,relationship or association between or among two or more other schematicelements, the absence of any such connecting elements is not meant toimply that no connection, relationship or association exists. In otherwords, some connections, relationships or associations between elementsmay not be shown in the drawings so as not to obscure the invention.Also, for ease of illustration, a single connecting element may be usedto represent multiple connections, relationships or associations betweenelements. For example, where a connecting element represents acommunication of signals, data or instructions, it should be understoodby those skilled in the art that such element may represent one ormultiple signal paths, as may be needed, to effect the communication.

Referring now to FIG. 1, a security, privacy, performance and/or otherpolicy monitoring and enforcement system 100 is configured to operate inrelation to a software application package 128 that includes at leastone machine-executable software application 130, the execution of whichmay be initiated by an end user. The illustrative security, privacy,performance and/or other policy monitoring and enforcement system 100includes an application repackager 114 and one or more security,privacy, performance, and/or other policies 166. As explained in moredetail below, the application repackager 114 can be initiated by a userof a mobile computing device 112, for example, to apply monitoring codeto the software application package 128 in accordance with one or moreof the security, privacy, performance, and/or other policies 166, priorto, during, or after download or installation, without making anychanges to source code for the software application 130 and withoutmodifying the operating system or other programs that may be running onthe mobile computing device 112.

As indicated by the dotted arrows 170, 172, the application repackager114 creates a new (e.g., “secured, “optimized,” or “monitored”) softwareapplication package 148 based on the software application package 128.In addition to the software application 130, the illustrativeapplication package 148 includes security, privacy, performance, and/orother monitoring and enforcement code (“MEC”) 160, 162, 164. Asdescribed below, the application repackager 114 converts the applicationpackage 128 to one or more component software files of the softwareapplication 130, uses the policies 166 to configure the MEC 160, 162,164, associates the MEC 160, 162, 164 with the software application 130,and creates the new application package 148. Once the applicationpackage 148 is downloaded to (or otherwise made available for use by)the mobile computing device 112 (or another electronic device), the MEC160, 162, 164 monitors the software application 130 as it runs and canat least temporarily prevent the software application 130 from engagingin potentially unauthorized activities without the user's permission, orfrom engaging in potentially unoptimized program flow and/or otheractivities that may be desirable to be monitored, depending on theparticular requirements and/or features of the software application 130and/or other factors.

The illustrative application package 128 may be embodied as aself-contained application “package,” which includes one or moresoftware components, such as files, programs, libraries, resources,utilities, and/or other items that may be needed by the softwareapplication 130 during execution. For instance, in embodiments where thesoftware application 130 may be configured for use by an ANDROID orsimilar device, the software application 130 may include Activity,Service, Content Provider, and/or Broadcast Receiver softwarecomponents. In some embodiments, the application package 128 may includea number of software component files that are “zipped” or otherwisegrouped together and/or compressed. For example, in some embodiments,the application package 128 may include a combination of compiled anduncompiled software components. In embodiments where the softwareapplication 130 may be configured for use by an ANDROID or similardevice, the application package 128 may include one or more JAVAbytecode files, which may be converted into a single executable file(e.g., a “classes.dex” file); one or more compiled applicationresources, which may include an application “manifest” file (e.g.,“AndroidManifest.xml”) or similar file; one or more resource files(e.g., “resources.arsc”), a digital certificate (e.g., “cert.rsa”),and/or one or more other, uncompiled files (e.g., native code librariesand/or routines implemented using a “lower-level” programming language,such as C or C++).

In some embodiments, downloading and/or installation of the applicationpackage 128 may be initiated by a user. For example, in someembodiments, the application package 128 may be downloaded from, e.g.,the computing device 110, to the mobile computing device 112, and/orinstalled on the mobile computing device 112, prior to, during or afteroperation of the application repackager 114. Downloading and/orinstallation may be accomplished by a user selecting, “clicking” orotherwise activating an icon, graphic, or text representative of theapplication package 128, which may be displayed on a graphical userinterface of the mobile computing device 112 (e.g., via a networkconnection to an “app store” or “market”). Once the application package128 is downloaded and installed, the software application 130 can beexecuted on the mobile computing device 112 (e.g., by a user selectingor clicking on an icon, graphic or text displayed on a user interface ofthe mobile computing device 112).

In FIG. 1, the illustrative application package 128 resides in one ormore computer-accessible media (e.g., memory) of the computing device110. In some embodiments, the computing device 110 is embodied as anelectronic device that has computing capabilities, such as a smartphone,e-reader, tablet computer, netbook, portable media player or recorder,smart TV, smart appliance, and/or others, and the application package128 is configured to install the software application 130 on such adevice. In some embodiments, the computing device 110 and the mobilecomputing device 112 may be the same device. In other embodiments, thecomputing device 110 may be embodied as a networked computer system oras a laptop, desktop, server, enterprise system, and/or others, on whichthe application package 128 is stored.

In some embodiments, where the software application 130 may be speciallyconfigured to run on a certain type of device, the application package128 may be stored on the computing device 110 but the softwareapplication 130 may not be executable thereby. Such may be the case, forexample, in embodiments where the software application 130 may bespecially configured to run on a mobile computing device and thecomputing device 110 is not such a device, but operates as anapplication store or market that makes software application packagesavailable for downloading to mobile devices.

For ease of discussion, FIG. 1 assumes that the software application 130can be executed by the computing device 110, and depicts components ofthe computing device 110 during execution of the software application130 (e.g., at runtime). In embodiments where the software application130 is specially configured to run on a certain type of computing device(such as the mobile computing device 112) and the computing device 110is not such a device, the following discussion applies to execution ofthe software application 130 on a device for which it has been speciallyconfigured.

To initiate execution of the software application 130, a user starts (or“launches”) the software application 130 by “clicking” on (or otherwiseactivating, using, e.g., voice or touch) an icon, graphic, or text labelrepresenting the software application 130. After the softwareapplication 130 is started, the software application 130, as well as anyapplicable application programming interfaces (APIs) 132, operatingsystem (O/S) interface objects 124, and the operating system 126, areloaded into at least one memory 120 (with at least the operating system126 typically having been already loaded into memory prior to the startof the software application 130, e.g., at boot-up of the computingdevice 110).

At runtime, the software application 130 may interact with one or moreof the APIs 132. Generally speaking, the APIs 132 are configured tointeract with one or more of the operating system interface objects 124to execute computer logic and/or operations specified by the softwareapplication 130. The operating system interface object(s) 124 interactdirectly with the operating system 126 to cause at least one processor122 of the computing device 110 to execute machine-readable instructions(e.g., logic and/or operations) corresponding to one or more features ofthe software application 130. For the purposes of this disclosure, thefeatures of the software application 130 can be arbitrary and mayinclude digital media players or recorders, cameras, video cameras,games, web browsers, Global Positioning System (GPS)locators/navigators, clocks, telephones, messaging systems, electronicmail, calendaring systems, social networking systems, e-commercesystems, search engines, content retrieval and/or delivery systems,personal productivity applications, and/or “lifestyle” applications, toname a few, and/or any combination of any of the foregoing and/orothers. As described below, the illustrative embodiments of theapplication repackager 114 and the MEC 160, 162, 164 are configured tooperate independently of, or irrespective of, the particular features ofthe software application 130. Also, in the illustrative embodiments, theapplication repackager 114 and the MEC 160, 162, 164 are not part of orassociated with the operating system 126.

In some embodiments, the operating system 126 may be embodied as anopen-source operating system such as LINUX. In other embodiments, theoperating system 126 may be embodied as a proprietary operating systemsuch as MICROSOFT WINDOWS or APPLE IOS. In some embodiments, thesoftware application 130 may be embodied as higher-level programmingcode (using, for example, a device-independent programming language suchas JAVA, which may be compiled to bytecode or other executable form) ora combination of higher-level programming code and lower-level (e.g.“native”) programming code (using, for example, a processor- oroperating system-specific version of a programming language such as C orC++). In some embodiments, the APIs 132 may include both higher-level(e.g. JAVA) API libraries and/or objects and lower-level (e.g., C orC++) API libraries and/or objects. In some embodiments, the operatingsystem interface objects 124 may include one or more operatingsystem-specific libraries and/or objects, for example, a “C” librarysuch as “libc” or WINDOWS API. The operating system interface objects124 can be accessed during execution of the software application 130using a low-level programming mechanism known as a system call.Additional aspects of the computing device 110, including exemplaryembodiments of the memory 120 and the processor 122, are described belowwith reference to FIG. 6.

The illustrative application repackager 114 is embodied as one or morecomputer-executable instructions, routines, programs, or processes. Theapplication repackager 114 may in one or more computer-accessible media(e.g., memory) on one or more of the computing devices 110, 112, or onone or more other computing device(s) that may be coupled to one or moreof the computing device(s) 110, 112, e.g., via a communications networkas shown in FIG. 6. The application repackager 114 configures thesecurity, privacy, performance, and/or other monitoring and enforcementcode, which includes, illustratively, a MEC redirecter 160, a MEC systemcall intercepter 162, and a MEC policy enforcer 164, and associates theMEC 160, 162, 164 with the software application 130. During thisprocess, the illustrative application repackager 114 accesses thepolicies 166 and configures the MEC 160, 162, 164 based on one or moreof the policies 166.

The policies 166 may be embodied as one or more databases, data files,look-up tables, or other suitable data structure(s). The policies 166may reside in one or more computer-accessible storage media (e.g.,memory) on one or more of the computing devices 110, 112, or on one ormore other computing device(s) that may be coupled to one or more of thecomputing device(s) 110, 112, e.g., via a communications network asshown in FIG. 6. As described below, the policies 166 includeinformation relating to security, privacy, performance, and/or otherparameters that may be used by the application repackager 114 toconfigure the MEC 160, 162, 164 so that, during execution of thesoftware application 130, the MEC 160, 162, 164 executes policy logic todetermine whether the software application 130 is attempting to engagein a potentially unauthorized activity, unoptimized execution, and/orother activity that may be monitored. Some or all of the policies 166may be pre-defined or pre-configured (e.g., as “default” policies), ormay be automatically configured, based on, for example, one or moreaspects of the computing device 110, 112, the software application 130,and/or other factors.

The illustrative application repackager 114 includes a user interface(e.g., the exemplary user interface 116), which allows the user tocreate and/or customize one or more of the policies 166 to be used inconnection with the securing, optimizing, or other monitoring of thesoftware application 130. Any or all of the policies 166 may bespecified for a particular software application 130 or may be applicableto one or more other software applications, alternatively or inaddition.

Referring to the illustrative user interface 116, the user can specifywhether the software application 130 is permitted to engage in certainspecific activities, with or without the user's permission, or whetherany or all system calls (described below) initiated by the softwareapplication 130 should be permitted or blocked. For example, if the userselects “Yes” for any of the configurable activities, the softwareapplication 130 may perform the activity without informing the user orprompting the user for permission. If the user selects “No” for any ofthe configurable activities, the MEC 160, 162, 164 may cause thesoftware application 130 to quit if the software application 130attempts to perform the activity. If the user selects “Custom,” then theuser may further “fine tune” the permission setting, e.g., byidentifying only certain instances in which the software application 130is or is not permitted to engage in the activity, by specifying that theuser is to be prompted before the software application 130 proceeds withthe activity, by indicating that the software application 130 maycontinue executing without performing the activity (rather than quittingaltogether), or otherwise. It should be appreciated by those skilled inthe art that the list of activities shown in the illustrative userinterface 116 is not intended to be an exhaustive list and that otheractivities may similarly be configured, alone or in combination withothers.

For example, one or more policies 166 may be defined (e.g., by a user oran automated process) to prevent the software application 130 fromaccessing certain types of data and/or to prohibit the softwareapplication 130 from executing certain commands without the user'spermission. This includes not only attempts by the software application130 to access sensitive information that may be stored on the computingdevice 110, 112 and communicating sensitive information to unauthorizedrecipients, but also attempts by the software application 130 toescalate privilege or gain root access on the computing device 110, 112(e.g., by running suspicious system calls and/or loading nativelibraries).

Some examples of privacy policies that may be implemented using thepolicies database 166 include policies to protect sensitive or privatedata of the user, which may include the International Mobile EquipmentIdentity (IMEI), the International Mobile Subscriber Identity (IMSI),phone number(s) associated with or stored on the computing device 110,112 and/or other devices, geographic location information and/orassociations of location information with other information (obtainedby, e.g., a GPS application stored on the computing device 110, 112and/or other devices), date and/or time information (and/or associationsof date/time information with other information), stored SMS messages,status updates, e-mail messages, voice messages and/or other messages,calendar entries, task list entries, contact list or address bookentries, phone conversations, photographs, videos, and/or others.

Some examples of security policies that may be implemented using thepolicies database 166 include policies to prevent the softwareapplication 130 from sending SMS messages or other types of messages,from activating the device's camera (e.g., photo or video), voicerecorder, Internet browser, and/or other peripheral devices orapplications. Some examples of network policies that may be implementedusing the policies database 166 include policies to regulate how thesoftware application 130 is permitted to interact with one or morecommunication networks to which it may connect or be connected (e.g.,wired or wireless Ethernet (WIFI), cellular, and/or other networks).

For example, network policies can be defined to restrict the softwareapplication 130's Internet access to only a particular web domain or setof IP addresses and/or restrict the software application 130's abilityto connect to one or more remote Internet Protocol (IP) addresses thatare known or suspected to be malicious. In some embodiments, this may bedone by consulting an IP address registry or “blacklist” (using, e.g., autility such as BOTHUNTER), during repackaging by the applicationrepackager 114 and/or at runtime (e.g., by the MEC policy enforcer 164).In some embodiments, one or more network policies may be set to indicateto the user a relative degree of maliciousness of a suspect IP addressand/or prompt the user for input as to whether to proceed with theremote connection based on the degree of maliciousness. In someembodiments, this may be done by, for example, color coding the warningmessages, using audible and/or other visual cues or signals, and/orother suitable techniques.

In some embodiments, one or more privilege escalation policies may bedefined in the policies 166 to warn the user when the softwareapplication 130 is attempting to invoke a suspicious system call orsequence of system calls that appears to be suspicious. For example, aprivilege escalation policy may require the user to be notified beforethe software application is permitted to execute a “su” (super user)command or similar command to gain greater control over the computingdevice 110, 112, or may prevent such attempts altogether. Similarly, oneor more policies may be defined to prevent the software application 130from loading a native code library, executing native code without theuser's permission.

Further, the present invention is not necessarily limited to securityand privacy applications. In some embodiments, the MEC 160, 162, 164and/or the one or more of the policies 166 may be configured to monitorexecution of the software application 130 with respect to one or moreother concerns, such as performance. For example, in some embodiments,the MEC 160, 162, 164 may be configured to intercept system calls thatare commonly associated with certain scarce computing resources (e.g.,bandwidth or power consumption) and deny execution of the interceptedsystem calls if it is determined pursuant to an applicable policy thatthe system calls should not be permitted to execute (e.g., if too manyof a certain system call or type or group of system calls are being madeby the software application 130). It will be appreciated by thoseskilled in the art that many other policies and/or combination ofpolicies, including any combination of any of the foregoing and/orothers, may be implemented as policies 166 in a similar fashion.

Once the policies 166 are defined for the software application 130, theapplication repackager 114 configures the MEC 160, 162, 164 to implementthe policies 166 in the repackaged application 148. For example, the MEC160, 162, 164 may include computer logic configured to allow certainactivities (e.g., certain system calls, input/output (I/O) requests,inter-process communication (IPC) requests, requests to connect toremote servers, and/or others) to proceed while disallowing others,based on the type of system call and/or one of its arguments, forexample. As explained further below with reference to FIG. 5, thepolicies 166 are enforced by the MEC policy enforcer 164 duringexecution of the repackaged software application 130.

The application repackager 114 may be embodied as a stand-alone softwareapplication, or may be embedded in or accessed by one or more otherapplications. For example, all or portions of the application repackager114 may be incorporated into other computing systems or softwareapplications that provide security, privacy, performance, and/or othermonitoring or enforcement or that process software applications. Suchapplications or systems may include, for example, tools for creatinguser-executable application packages, application downloading services(such as application markets or “app stores”), anti-virus softwarepackages, performance monitoring tools, application testing tools, codeanalysis tools, security, privacy, authentication, accreditation, and/orcertification services (e.g., Verisign, Better Business Bureau (BBB),etc.).

All or portions of the application repackager 114 may be local to aparticular computing device 110, 112 or may be distributed acrossmultiple computing devices 110, 112. For example, in some embodiments,application repackager 114 may be installed on a mobile device (e.g.,mobile device 112) and executed directly by an end user to “secure” anapplication installed on the device or an application that is about tobe downloaded to or installed on the device. In other embodiments, theapplication repackager 114 may reside in one or more computer-accessiblemedia (e.g., memory) on one or more remote servers (e.g. one or morephysical or logical servers or storage devices accessible by multipleusers), an Internet site (e.g. a server hosting a web page or web-basedapplication), and/or other suitable locations depending on the typeand/or configuration of the particular embodiment. For example, theapplication repackager 114 may be offered as a service by a third-partyprovider. In some embodiments, a user interface portion of theapplication repackager 114 may reside in one or more computer-accessiblemedia (e.g., memory) on a local device (e.g., the mobile computingdevice 112) while the remainder of the application repackager 114resides on one or more remote computing devices. Additional detailsrelating to the application repackager 114 are described below inconnection with FIG. 2.

Referring now to the mobile computing device 112, FIG. 1 depictscomponents of the illustrative mobile computing device 112 duringexecution of the software application 130 (e.g., at runtime) on themobile computing device 112 after the software application 130 has beenrepackaged by the application repackager 114. The same reference numeralis used to refer to the software application 130 both prior to and afterrepackaging in order to show that, in the illustrative embodiments, thesoftware application itself is not modified by the repackaging process.As noted above, the illustrative application package 148 created by theapplication repackager 114 includes the software application 130, theMEC redirecter 160, the MEC system call intercepter 162, and the MECpolicy enforcer 164.

In some embodiments, the mobile computing device 112 may be any type ofelectronic device having the aforementioned computing capabilities. Asmentioned above, in some embodiments, the mobile computing device 112may be the same device as the computing device 110; and/or the APIs 152,O/S interface objects 144, operating system 146, one or more memory 140,and one or more processors 142 may be the same or similar to the APIs132, O/S interface objects 124, operating system 126, memory 120, andprocessor 122, respectively, described above.

For discussion purposes, an illustrative embodiment in which the mobilecomputing device 112 is embodied as an ANDROID device (e.g., a devicerunning the GOOGLE ANDROID operating system or similar open-sourcemobile operating system) will now be described. In the illustrativeembodiment, the operating system 146 includes a LINUX kernel (e.g.,LINUX 2.6), which interfaces with the one or more processors 142 toenable software applications such as the software application 130 to runon the mobile computing device 112. To do this, the illustrativeoperating system 146 includes one or more device drivers that can allowsoftware applications installed on the mobile device 112 to, forexample, interface with one or more peripheral devices (such as acamera, music player, voice recorder, display, keypad, and/or others),to access memory or network interfaces, and/or communicate with otherprocesses. In the architecture of the illustrative operating system 146,the APIs 152 include a number of higher-level (e.g., JAVA) APIs andlower-level (e.g., C++) APIs, some or all of which may be referred to asan “application framework.” The operating system 146 provides a nativecode interface (e.g., JAVA NATIVE INTERFACE), which enables softwareapplications that are written in JAVA to utilize the lower-level APIs.Thus, software applications configured for the mobile device 112(including the software application 130) can be written using acombination of higher-level (e.g., JAVA) and lower-level (e.g., C orC++) programming code. In addition, due to its “open” architecture, theillustrative operating system 146 provides a variety of different APIs152, including a number of APIs 152 that can be used by an applicationto accomplish the same end result in different ways.

The illustrative operating system 146 also provides a number of O/Sinterface objects or libraries 144, which include one or more functionsthat can be invoked by a system call made by an application or by an API152 to interface directly with the operating system 146 (e.g., with theLINUX kernel). The illustrative O/S interface objects 144 include anANDROID-specific version of the standard C library, which may bereferred to as the “Bionic libc.” No matter which API 152 an applicationdeveloper decides to use, the operating system 146 is configured so thatany API 152 requesting a service of the operating system 146 (e.g., theLINUX kernel) will compile down to or be interpreted as a system call toa native function in the Bionic libc. For example, in some embodiments,if an application wants to download a file from the Internet, it canchoose from a number of APIs that may include HttpURLConnection,HttpConnection, Socket, PlainSocketlmpl, and/or others, but each ofthese are ultimately interpreted down to the connect( ) method in thenative C library (e.g., Bionic libc or “libc.so”), which issues thesystem call to the LINUX kernel.

The operating system 146 also provides an application isolationmechanism by which different software applications and system servicesare isolated from each other at runtime. When a software application(e.g., the software application 130) is started, the operating system146 allocates a unique “uid” (e.g., a unique application/processidentifier) to the application so that it runs in its own process. Theoperating system 146 assigns memory space to the application, loads theapplication into its memory space, loads a copy of the applicable APIs152 and the O/S interface objects 144 into the application's memoryspace, and dynamically links the APIs 152 and the O/S interface objects144 with the application. As applications and system services areisolated from each other at runtime (e.g., they each run in their ownprocess), in the illustrative embodiments, a system-level mechanismknown as an inter-process communication (IPC) is invoked any time anapplication wants to communicate with another application or systemservice. The operating system 146 provides a mechanism (which may bereferred to as a “binder”) by which IPCs are handled by the LINUX kerneland communicated by the kernel to the intended recipient of thecommunication. So, for example, if an application wants to send a textmessage, it can use a high-level API such as SMSManager, but internally,this is converted to an IPC call using the O/S binder and is ultimatelyinterpreted down to the ioctl( ) method in the native C library (e.g.,Bionic libc or “libc.so”), which initiates the IPC communication via theLINUX kernel. Examples of functions included in the O/S interfaceobjects 144 in the illustrative embodiments include not only connect( )@ libc.so, ioctl( ) (@ libc.so, but also dlopen( ), fork( ), and execvp() (each, @ libc.so); however, this is intended to be an exemplary, notexhaustive, list.

The illustrative operating system 146 also provides an install-timeapplication permission system (e.g., a device-specific security system650 as shown in FIG. 6). The install-time permission system providesthat, when an application is installed on the mobile device 112, theoperating system 146 identifies to the user any security privilegesand/or permissions that are requested by the application, and the usereither grants or denies the privileges and/or permissions prior toinstallation of the application. If the user denies the requestedprivileges and/or permissions, the application cannot be installed. Asthe application is not installed unless the requested privileges and/orpermissions are agreed to, the application repackager 114 and the MEC160, 162, 164 do not interfere with the device-level install-timepermission system. Rather, the application repackager 114 and the MEC160, 162, 164 allow the user to accept the privileges and/or permissionsrequested by the application at install time, and then enable the userto supplement or “fine tune” those privileges and/or permissions duringrepackaging of the application, via the policies 166.

This is illustrated by the exemplary user interface 118, which mayappear at runtime if the MEC system call intercepter 162 encounters asuspicious system call (such as, in the illustrative example, a systemcall that is trying to send the user's IMEI to an unknown recipient).That is, the fact that the repackaged application 130 is installed onthe mobile computing device 112 (with the MEC 160, 162, 164 associatedtherewith) indicates that the user has agreed to the security privilegesand/or permissions requested by the software application 130 at installtime via the operating system 146's application permission system (e.g.,the device-specific security system 650). Then, as explained furtherbelow, at runtime of the repackaged application 130, the MEC redirecter160 causes system calls (e.g., calls to functions in the Bionic libc orlibc.so) to be redirected to the MEC system call intercepter 162,without modifying the software application 130 or the operating system146. The MEC system call intercepter 162 pre-processes the redirectedsystem call and its arguments, and passes that information on to the MECpolicy enforcer 164. The MEC policy enforcer 164 (having been configuredaccording to the policies 166 by the application repackager 114)determines whether to execute the system call. In some embodiments, asshown by the exemplary user interface 118, the MEC policy enforcer 164prompts the user for input relating to the intercepted system call anddetermines whether to execute the system call based on the user's input.Also, in some embodiments, the MEC policy enforcer 164 may store theuser's input (e.g., in cache memory) for future use (if the softwareapplication 130 attempts to invoke the same system call again, forexample).

Referring now to FIG. 2, an illustrative method 200, which may beimplemented as one or more computer-executable instructions, routines,or processes by which the application repackager 114 may add privacy andsecurity monitoring and enforcement code (e.g., MEC 160, 162, 164) to anapplication package, is shown. At block 210, the method 200 identifiesthe software application to be repackaged. To do this, in someembodiments, the method 200 may process and/or interpret one or morearguments or inputs received by the application repackager 114, whichmay include the application name, location (e.g., directory or folder),and/or other information identifying the application to be repackaged.In the illustrative embodiments, the application to be repackaged is the“unsecured” version of the software application 130 contained in theapplication package 128.

At block 212, the method 200 determines which of the policies 166 areapplicable to the application to be repackaged (e.g., the softwareapplication 130 contained in the application package 128). This may bedone, in some embodiments, based on the type of computing device onwhich the software application 130 is intended to be installed, the typeof software application, user-specified preferences, and/or othercriteria. For example, in some embodiments, computer game applicationsmay have different policies than information-retrieval applications.Also, in some embodiments, the policies 166 may be stored “in the cloud”(e.g., on one or more remote servers), and at least some of the policies166 may be applicable to certain types of devices but not others. As anillustration, a user may own multiple types of computing devices (e.g.,a smartphone, a tablet, and a media player, or two different brands ofsmartphones), and may specify some policies that are applicable to oneor more of those devices but not to the others. The information linkingthe policies 166 and the applicable applications and/or devices may bestored with the policies 166, or in a look-up or mapping table, or othersuitable data structure, which may be accessed by the method 200 atblock 212.

At block 214, the method 200 processes the original application package128; which includes the software application 130 identified at block210, to convert or disassemble it into its constituent components. Usingthe ANDROID example, the application package 128 may be embodied as asingle archive file called an ANDROID APPLICATION PACKAGE or APK file.The APK file includes a compiled manifest file (e.g.,AndroidManifest.xml), the compiled application code (e.g., a classes.dexfile, which contains the application's code in the form of a single dexbytecode file), compiled XML resources such as window layout and stringconstant tables, uncompiled resources such as image and sound files andnative libraries, and a digital signature. The method 200 uses adisassembling tool, such as APKTOOL or SMALI, to disassemble or decodethe classes.dex file into a directory tree structure that maps eachconstituent bytecode file of the application package 128 to a singleJAVA class and maps its directory path to the directory hierarchy. Allof the other components of the application package 128 are also storedin the same directory structure.

At block 216, the method 200 adds (e.g., by copying or moving) the MEC160, 162, 164 to the directory created at block 214, which contains thecomponents of the application package 128. At block 218, the method 200ensures that the MEC 160, 162, 164 will be invoked at runtime ahead ofthe software application 130 by assigning a higher priority to the MEC160, 162, 164 than the software application 130. In the ANDROID example,the compiled (e.g. dex bytecode) manifest file for the applicationpackage 128 is modified to define at least the MEC redirecter 160 as the“Application class,” which will be instantiated by the ANDROID runtimeenvironment when the repackaged software application 130 is started. Ifthere is already an Application class defined in the softwareapplication 130's compiled manifest file, then the existing class ismaintained but its definition is modified so that it inherits from theApplication class defined for the MEC redirecter 160. It should beappreciated that at block 216, modifications are made only to a compiledmanifest file, and not to any executable files of the softwareapplication 130 or to any source code of the software application 130.

At block 220, the method 200 creates the new application package 148including the MEC 160, 162, 164 and the updated application priorityinformation. In the ANDROID example, the method 200 uses an assemblingtool (e.g., APKTOOL or SMALI) to assemble the disassembled bytecodefiles back to dex bytecode form and create the new application package148. The application package 148 includes the updated manifest file andthe MEC 160, 162, 164, in the form of a new APK file. It should beappreciated that at block 220, the MEC 160, 162, 164 is added to theapplication package 148 without modifying the executable files or sourcecode of the software application 130.

At block 222, the new application package 148 is authenticated with adigital signature. In at least the ANDROID example, the method 200creates a new digital certificate and signs the application package 148with the new certificate. The signed application package 148, e.g., the“secured” version of the application package 128, is then ready to beinstalled on a computing device (e.g., the mobile device 112).

Referring now to FIG. 3, an illustrative method 300, which may beimplemented as one or more computer-executable instructions, routines,or processes by which the MEC redirecter 160 may cause low-level systemcalls made by the repackaged software application 130 to be redirectedto privacy, security, performance and/or other monitoring andenforcement code at runtime, is shown. Generally speaking, the MECredirecter 160 operates after the software application 130 is startedbut before the software application 130 begins executing, to, duringexecution of the software application 130, cause system calls tofunctions in the O/S interface objects 144 to be at least temporarilyredirected to the MEC system call intercepter 162. Thus, in FIG. 3, theblocks 310, 312, and 318 depicted with dashed lines are not part of theMEC redirecter 160, but are processes that occur before and after theMEC redirecter 160 operates. At block 310, the repackaged softwareapplication 130 is started as described above. At block 312, therepackaged software application 130 and the MEC 160, 162, 164 areassigned to a process memory space and loaded into memory, and the APIs152 and the O/S interface objects 144 are loaded into the process memoryspace and are dynamically linked to the repackaged software application130. Typically, these steps are performed by operating system utilities,which may be referred to as a “loader” and a “linker,” after thesoftware application 130 is started. In the illustrative embodiments,the dynamic linking creates a mapping table (which may be referred to asa “global offset table” or GOT). The mapping table includes an array offunction pointers of all of the dynamically-linked external functions(e.g., functions accessible via the APIs 152 and/or the O/S interfaceobjects 144) that are referenced by the software application 130 duringits execution. For example, in some embodiments, the mapping table mayinclude a table or listing of function names or identifiers, names oridentifiers of the corresponding objects or libraries in which thefunctions are located, and the memory addresses assigned to thefunctions by the loader at runtime.

The MEC redirecter 160 begins executing after the dynamic linking iscomplete and before the software application 130 begins executing, byvirtue of it having been assigned a higher runtime priority than thesoftware application 130 (e.g., by having been declared as the baseApplication class) by the application repackager 114 at block 218 ofFIG. 2. At block 314, the MEC redirecter 160 preserves the memoryaddresses allocated by the loader at block 312 to the functions in theO/S interface objects 144. In some embodiments, this may be done bysimply making a copy of the mapping table and storing it in one or morecomputer-accessible media (e.g., cache memory).

At block 316, the MEC redirecter 160 associates the system-levelfunctions in the O/S interface objects (e.g., the native C library orlibc.so functions) with the memory address(es) assigned to the MECsystem call intercepter 162 by the loader at runtime. In theillustrative embodiments, this may be done by replacing the originalmapping table or creating a new mapping table and replacing the memoryaddresses of the O/S interface objects 144 with the memory address(es)of the MEC system call intercepter 162. In effect, the MEC redirecter160 simply “re-dos” the dynamic linking to cause the O/S interfaceobjects 144 to be associated with the MEC system call intercepter 162.The end result of this is that, during execution of the repackagedsoftware application 130, which begins at block 318, system calls tofunctions in the O/S interface objects 144 are redirected to the MECsystem call intercepter 162 before they are executed. It should beappreciated that in some embodiments, the MEC redirecter 160 and MECsystem call intercepter 162 may be configured, e.g., by the applicationrepackager 114 according to the policies 166, so that only certainsystem calls are intercepted and redirected at runtime, or so that everysystem call is intercepted and redirected. So as to be able to modifythe process memory, the illustrative embodiments of the MEC redirecter160 are written in a lower-level programming language (such as C++) andcompiled to native code.

Referring now to FIG. 4, an illustrative method 400, which may beimplemented as one or more computer-executable instructions, routines,or processes by which the MEC system call intercepter 162 maypre-process system call information at runtime, is shown. As a result ofthe work of the MEC redirecter 160 prior to execution of the repackagedsoftware application 130, the MEC system call intercepter 162 is invokedduring execution of the repackaged software application 130 each timethe repackaged software application 130 initiates a system call that hasbeen redirected by the MEC redirecter 160. Thus, block 410 is shown withdashed lines to indicate that it is the repackaged software application130, not the MEC system call intercepter 162, that performs block 410.When the repackaged software application 130 invokes a system call atblock 410, the program flow is redirected to the MEC system callintercepter 162 before the system call is executed, as a result of thedynamic linking done earlier by the MEC redirecter 160.

At block 412, the MEC system call intercepter 162 pre-processes theintercepted system call and/or its arguments, to determine the nature orintent of the system call. For example, if the intercepted system callis a call to the connect( ) function in the native C library (e.g.,libc.so), the arguments may include a target IP address and port, and/orothers. The MEC system call intercepter 162 may parse or otherwisereformat or process the argument(s) to put them into a form that can befed to and used by the MEC policy enforcer 164. When the MEC system callintercepter 162 encounters a system call that involves an inter-processcommunication (e.g., a call to the ioctl( ) function in libc.so), thearguments may include the type of IPC requested (e.g., a call to thecamera application), and, embedded in the IPC request, the arguments forthe call to the camera application (e.g., instructions for the cameraapplication, such as whether to turn the camera on, off, take a picture,etc.). Thus, additional pre-processing may be needed to extract the IPCparameters from the system call arguments and reconstruct them in a formthat can be passed to and used by the MEC policy enforcer 164. In theillustrative embodiments, the MEC system call intercepter 162 is writtenin a lower-level programming language (such as C++) and compiled tonative code. The pre-processed system call and arguments are passed(e.g., as parameters) to the MEC policy enforcer 164 at block 414.

Referring now to FIG. 5, an illustrative method 500, which may beimplemented as one or more computer-executable instructions, routines,or processes by which the MEC policy enforcer 164 may enforceapplication-based privacy, security, performance and/or other policiesduring execution of the repackaged software application 130, is shown.In the illustrative embodiments, the MEC policy enforcer 164 is invokedby the MEC system call intercepter 162. At block 510, the method 500receives the intercepted system call and its arguments from the MECsystem call intercepter 162 (e.g., as parameters).

At block 512, the method 500 analyzes the intercepted system call andargument information and determines which policy logic applies to thesystem call and/or arguments. For example, in some embodiments, a usermay have defined (e.g., during the repackaging done by the applicationrepackager 114) a policy that connect( ) system calls can be permittedfor certain target IP addresses, but not for others; or, that for thisparticular application, no connect( ) system calls should be permittedat all. Alternatively or in addition, the policy logic may pass thetarget IP address information to a domain registry or blacklistingservice (e.g., BOTHUNTER) to determine at runtime whether the target IPaddress is known or suspected to be malicious. As another example, insome embodiments, a user may have defined (e.g., during the repackagingdone by the application repackager 114) a policy that ioctl( ) systemcalls can be permitted for certain target applications, but not forothers; or for certain features of the target application but only withthe user's consent (for example, to turn on the camera but to prompt theuser before taking any pictures). In some embodiments, the MEC policyenforcer 164's policy logic is configured during repackaging by theapplication repackager 114 in accordance with the policies 166. Thus, inthose embodiments, there may not be any need to access the policiesdatabase 166 at runtime, but only to execute the policy logic. In otherembodiments, the MEC policy enforcer 164 may be configured to access thepolicies 166 at runtime.

At block 514, the method 500 determines, based on the policy logic,whether to proceed with the intercepted system call without user input.If the method 500 determines that the system call should not be executedwithout user input, then at block 516 the method 500 determines whetherto prompt the user for input as to whether to continue with the systemcall or to simply quit the system call. If the policy logic indicatesthat the user should be prompted for input, then at block 518, a warningmessage and prompt is displayed (e.g., via the user interface 118).After receiving user input at block 518, the method 500 returns to block514 and either proceeds with the system call based on the user input orskips over or aborts (or otherwise does not execute) the system call.

In some embodiments, as shown by the exemplary user interface 118, themethod 500 may ask the user whether to store the user's input for futureuse. Thus, if at block 518 the user answers “Yes” to proceed with thesystem call and “Yes” to remember that decision, then the next time therepackaged application 130 attempts to invoke the same system call(and/or other similar or related system calls), the MEC policy enforcer164 may proceed directly from block 514 to block 526 based on the storeduser input.

If, at block 516, the policy logic indicates that the system call shouldbe aborted without user input, then the method 500 proceeds to block520. At block 520, the method 500 determines based on the policy logicwhether to not execute the system call or to quit executing the entireapplication. If the method 500 determines that the entire applicationshould be ended, then at block 522 execution of the repackaged softwareapplication 130 is ended. If the method 500 determines that the systemcall should not be executed but the execution of the repackaged softwareapplication 130 may otherwise continue, then at block 524, the method500 skips or aborts the system call (or otherwise does not execute thesystem call) and continues the normal execution of the repackagedsoftware application at block 528.

If, at block 514, the method 500 determines, based on the policy logicand/or user input, that the system call can be executed, then at block526, the method 500 jumps to the system call and executes the systemcall as originally invoked by the repackaged software application 130.At block 526, the method 500 may access the preserved original copy ofthe mapping table created by the MEC redirecter 160 at block 314 of FIG.3 to determine the actual memory location of the system call. The method500 returns control to the repackaged software application 130 at blocks524 and 526, and the repackaged software application 130 continuesnormal execution at block 528. In the illustrative embodiments, the MECpolicy enforcer 164 is written in a higher-level programming language(such as JAVA) and compiled to executable code (e.g., dex bytecode).

Referring now to FIG. 6, an illustrative embodiment of a computingdevice 600, in connection with which aspects of the security, privacy,performance, and/or other monitoring and enforcement system 100 may beimplemented, is shown. For example, either and/or both of the computingdevices 110, 112 may be implemented with one or more of the features ofthe computing device 600. The illustrative computing device 600 includesat least one processor 610 and an input/output (I/O) subsystem 612. Theprocessor 610 includes one or more processor cores (e.g.microprocessors). The I/O subsystem 612 typically includes, among otherthings, an I/O controller, a memory controller, and one or more I/Oports (not shown). The processor 610 and the I/O subsystem 612 arecommunicatively coupled to a memory 614. The memory 614 may be embodiedas any type of suitable memory device, such as a dynamic random accessmemory device (DRAM), synchronous dynamic random access memory device(SDRAM), double-data rate dynamic random access memory device (DDRSDRAM), and/or other volatile memory device.

The I/O subsystem 612 is communicatively coupled to at least one inputdevice 616, at least one data storage 618, at least one output device620, one or more peripheral devices 622 (optional), and at least onenetwork interface 624. The input device 616 may include a keyboard,keypad, touch screen, microphone, or other suitable device for acceptinginput from a user (e.g., via user interfaces 116, 118). The outputdevice 620 may include a text, graphics, and/or video display screen,speaker, or other suitable device for presenting output (e.g. warningmessages and prompts such as shown by user interface 118), to the user.The peripheral device(s) 622 may include, for example, cameras, mediaplayers or recorders, GPS devices, graphics, sound and/or videoadapters, and/or others, depending upon, for example, the intended useof the computing device 600.

The network interface 624 communicatively couples the computing device600 to one or more networks 634, which may include a local area network,wide area network, personal cloud, enterprise cloud, public cloud,and/or the Internet. Accordingly, the network interface 624 may includea wired or wireless Ethernet adapter, WIFI adapter or other suitabledevice as may be needed, pursuant to the specifications and/or design ofthe particular network 624.

The illustrative data storage 618 includes one or morecomputer-accessible media, such as one or more hard drives or othersuitable data storage devices (e.g., memory cards, memory sticks, and/orothers). In the illustrative embodiment, an operating system 626 and adevice-specific security system 650 reside in the data storage 618. Theoperating system 626 is, for example, a MICROSOFT WINDOWS, LINUX, IOS,or other operating system, or other similar set of instructions, whichmay be designed specifically for a particular type of computing device,for example, a discrete, handheld, or portable electronic device orsmartphone. The device-specific security system 650 is, for example, anapplication permission system such as the ANDROID install-timeapplication permission system described above, or other similar set ofcode or instructions, which may be designed specifically for aparticular type of computing device, for example, a discrete, handheld,or portable electronic device or smartphone.

In the illustrative example, the security, privacy, performance and/orother monitoring and enforcement system 100 includes an applicationsecurity manager 630, an application repackager 636, and one or moresecurity, privacy, performance, and/or other policy(ies) 632, 640. Atleast a portion of each of the application security manager 630, and thepolicy(ies) 632, 640 is stored in the data storage 618. Portions of theoperating system 626, application security manager 630, and thepolicy(ies) 632 may be copied to the memory 614 during operation, forfaster processing or for other reasons.

In some embodiments, the application security manager 630 may beembodied as a client application or front-end user interface for thesecurity, privacy, performance, and/or other policy monitoring andenforcement system 100, while a back end or server application (e.g.,the application repackager 636) may reside on the network 634.Similarly, the policy(ies) 632, 640 may include some policies that arelocal to the computing device 600, such as user-, device-, and/orapplication-specific policies; while other aspects of the policy(ies)632, 640, which may be user-, device-, and/or application-independent,for example, may reside on the network 634. In other embodiments, theentire security, privacy, performance and/or other monitoring andenforcement system 100 may be stored in the data storage 618 of thecomputing device 600.

In some embodiments, the application security manager 630 may belaunched automatically each time a user of the computing device 600attempts to, or has already, downloaded an application 628, 638. Inother embodiments, the application security manager 630 may be invokedto upload an application to the network 634 to be repackaged by theapplication repackager 636. The application security manager 630 mayinvoke the application repackager 636 to create the repackagedapplication 628, 638 and replace the original application on thecomputing device 600 and/or the network 634 with the repackagedapplication 628, 638 as shown in FIG. 6.

The computing device 600 may include other components, sub-components,and devices not illustrated in FIG. 6 for clarity of the description. Ingeneral, the components of the computing device 600 are communicativelycoupled as shown in FIG. 6, by one or more signal paths, which arerepresented schematically as bidirectional arrows. Such signal paths maybe embodied as any type of wired or wireless signal paths capable offacilitating communication between the respective devices.

While aspects of this disclosure have been illustrated and described indetail in the drawings and in the foregoing description, suchillustrations and description are to be considered as exemplary and notrestrictive in character, it being understood that only illustrativeembodiments have been shown and described and that all changes andmodifications that come within the spirit of the disclosure are desiredto be protected. Further, while certain aspects of the presentdisclosure have been described in the context of an exemplary smartphoneimplementation, it will be understood that the various aspects areapplicable to other mobile device configurations (including ANDROID,APPLE IOS and/or others) and have other applications, for example, anyapplication in which it is desired to provide security, privacy,performance, and/or other monitoring at the application level. Suchapplications may include, for example, application “vetting” servicesand/or application developer solutions such as performance ratingsystems, security validation systems, and vulnerability testing systems,as well as application “store” or “market” services and otherconsumer-oriented services, including trusted application indicators andanti-virus software, for example.

In addition, aspects of this disclosure are applicable to electronicdevices other than smartphones, including devices that may not typicallybe considered “mobile.” For example, the computing device 600 may beembodied in or as any type of computing device capable of performing thefunctions described herein. For example, the computing device 600 may beembodied as a cellular phone, a smartphone, a mobile Internet device, ahandheld, laptop or tablet computer, a personal digital assistant, atelephony device, or other portable electronic device. Also, while nottypically considered “mobile” in so far as that term may be inferred bysome as referring to a handheld device, it should be understood thataspects of this disclosure are applicable to other types of electronicdevices, such as desktop computers, servers, enterprise computersystems, networks of computers, Internet-enabled televisions or otherelectronic appliances, or other electronic device(s) that are capable ofperforming the functions described herein, depending on the particularimplementation of the security, privacy, performance and/or other policymonitoring and enforcement system 100.

1.-15. (canceled)
 16. A system for enforcing a privacy or securitypolicy associated with a software application on a mobile computingdevice, the system to cause the mobile computing device to: interceptsystem calls issued by the software application; for each interceptedsystem call: determine an argument of the intercepted system call; andexecute policy logic to analyze the system call and the argument of theintercepted system call; and permit execution of an intercepted systemcall to continue if the policy logic determines that the combination ofthe intercepted system call and the argument of the intercepted systemcall is permitted by the privacy or security policy associated with thesoftware application.
 17. The system of claim 16, wherein the system isto cause execution of the intercepted system call to at least temporarydiscontinue if the policy logic determines that (i) the interceptedsystem call is permitted by the privacy or security policy associatedwith the software application and (ii) the argument of the interceptedsystem call is not permitted by the privacy or security policyassociated with the software application.
 18. The system of claim 16,wherein the system is to cause execution of the intercepted system callto at least temporary discontinue if the policy logic determines thatthe intercepted system call is not permitted by the privacy or securitypolicy associated with the software application.
 19. The system of claim16, wherein the system is to (i) intercept system calls having anargument that identifies a network address and (ii) permit execution ofthe intercepted system calls if the policy logic determines that thenetwork address is permitted by the privacy or security policyassociated with the software application.
 20. The system of claim 19,wherein the system is to pass the network address to a blacklistingservice to determine if the network address is permitted by the privacyor security policy associated with the software application.
 21. Thesystem of claim 19, wherein the system is to pass the network address toa domain registry service to determine if the network address ispermitted by the privacy or security policy associated with the softwareapplication.
 22. The system of claim 16, wherein the system is to (i)intercept system calls having an argument that identifies a networkaddress and (ii) at least temporarily discontinue execution ofintercepted system calls if the policy logic determines that the networkaddress is not permitted by the privacy or security policy associatedwith the software application.
 23. The system of claim 16, wherein thesystem is to (i) intercept system calls having an argument thatidentifies a target application for an inter-process communication and(ii) permit execution of the intercepted system calls if the policylogic determines that inter-process communication with the targetapplication is permitted by the privacy or security policy associatedwith the software application.
 24. The system of claim 16, wherein thesystem is to (i) intercept system calls having an argument thatidentifies a target application for an inter-process communication and(ii) at least temporarily discontinue execution of the interceptedsystem calls if the policy logic determines that inter-processcommunication with the target application is not permitted by theprivacy or security policy associated with the software application. 25.The system of claim 16, wherein the system is to (i) intercept systemcalls having an argument that identifies a target application for aninter-process communication, (ii) determine if the inter-processcommunication with the target application is permitted by the privacy orsecurity policy associated with the software application; and (iii)prior to completing the inter-process communication with the targetapplication, by an output device of the mobile computing device, outputa notification.
 26. The system of claim 25, wherein the system is to, byan input device of the mobile computing device, receive a response tothe notification, store the response to the notification, and apply theresponse to the analysis of a subsequent system call or to the analysisof an argument of the subsequent system call.
 27. The system of claim26, wherein the system is to permit execution of subsequent system callsbased on the response.
 28. The system of claim 26, wherein the system isto at least temporarily discontinue execution of subsequent system callsbased on the response.
 29. A system for associating a privacy orsecurity policy with a software application for a mobile computingdevice, the system to: configure monitoring and enforcement code toimplement the privacy or security policy by specifying, with themonitoring and enforcement code: (i) a combination of a type of systemcall and an argument of the system call that is permitted by the privacyor security policy; and (ii) a combination of a type of system call andan argument of the system call that is not permitted by the privacy orsecurity policy; and create an application package comprising thesoftware application and the monitoring and enforcement code.
 30. Thesystem of claim 29, wherein the system is to configure the monitoringand enforcement code to identify combinations of system calls andarguments that cause a privilege escalation on the mobile computingdevice.
 31. The system of claim 29, wherein the system is to configurethe monitoring and enforcement code to prevent the software applicationfrom activating a camera or voice recorder of the mobile computingdevice in response to a combination of a system call and an argument ofthe system call.
 32. The system of claim 29, wherein the system is toconfigure the monitoring and enforcement code to prevent the softwareapplication from accessing a network address in response to acombination of a type of system call and an argument of the system callthat is not permitted by the privacy or security policy.
 33. The systemof claim 29, wherein the system is to configure the monitoring andenforcement code to analyze a network address specified as an argumentto a system call by accessing a network address registry or blacklistingservice.
 34. The system of claim 33, wherein the system is to configurethe monitoring and enforcement code to at least temporarily discontinueexecution of a system call in response to analysis of a network addressspecified as an argument to the system call by the network addressregistry or blacklisting service.
 35. The system of claim 29, whereinthe system is to configure the monitoring and enforcement code toidentify combinations of system calls and arguments that are associatedwith inter-process communications that are not permitted by the privacyor security policy.